From d037a782fd04c5db41031bc4dcbc7a363a2541e4 Mon Sep 17 00:00:00 2001
From: Ming Di Leom <2809763-curben@users.noreply.gitlab.com>
Date: Tue, 8 Apr 2025 08:24:07 +0000
Subject: [PATCH] page(threat-hunting): ShareName suffix

---
 source/threat-hunting/index.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/source/threat-hunting/index.md b/source/threat-hunting/index.md
index 9d9ee50..9035d60 100644
--- a/source/threat-hunting/index.md
+++ b/source/threat-hunting/index.md
@@ -1103,7 +1103,7 @@ References: [1](https://thedfirreport.com/2023/01/23/sharefinder-how-threat-acto
 
 SPL:
 ```spl
-index="windows" source="XmlWinEventLog:Security" EventCode=5145 (ShareName IN ("\\\\*\\C", "\\\\*\\ADMIN", "\\\\*\\IPC") OR RelativeTargetName IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*"))
+index="windows" source="XmlWinEventLog:Security" EventCode=5145 (ShareName IN ("\\\\*\\C$", "\\\\*\\ADMIN$", "\\\\*\\IPC$") OR RelativeTargetName IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*"))
 | rex field=SubjectUserName "(?[^\d+]+)"
 | eval dst_asset=Computer, lookup_username=upper(lookup_username)
 | lookup ldap_assets ip AS IpAddress OUTPUT dns AS src_asset
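Review bot: The ShareName and RelativeTargetName match lists are duplicated verbatim between the raw-event search in this hunk and the `tstats` search in the next hunk, which is why this commit has to touch both lines; moving the two lists into a Splunk search macro (or a lookup of the share and pipe names) would let a single edit update both queries and keep the two detections from drifting apart. The page also gives no reason for the new suffix, so a sentence above the first `spl` fence would help readers, e.g. `The trailing $ in the ShareName patterns is part of the share name: Windows logs the hidden administrative shares C$, ADMIN$ and IPC$ with that suffix in Event ID 5145.` Whether the previous patterns failed to match at all is not stated on the page and presumably motivated the change. The first SPL query continues past the end of this hunk.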
@@ -1114,7 +1114,7 @@ index="windows" source="XmlWinEventLog:Security" EventCode=5145 (ShareName IN ("
 
 With [additional mapping](https://gitlab.com/curben/splunk-scripts/-/commit/cc3e156a75519dbb3a23e0fb833c87b46c0b9409) to Endpoint Filesystem data model:
 ```spl
-| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Filesystem WHERE index="windows" Filesystem.signature_id=5145 (Filesystem.file_name IN ("\\\\*\\C", "\\\\*\\ADMIN", "\\\\*\\IPC") OR Filesystem.file_target IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*")) BY index, host, Filesystem.file_target, Filesystem.file_name, Filesystem.file_path, Filesystem.signature_id, Filesystem.signature, Filesystem.src, Filesystem.user, _time span=1s
+| tstats summariesonly=true allow_old_summaries=true fillnull_value="unknown" count FROM datamodel=Endpoint.Filesystem WHERE index="windows" Filesystem.signature_id=5145 (Filesystem.file_name IN ("\\\\*\\C$", "\\\\*\\ADMIN$", "\\\\*\\IPC$") OR Filesystem.file_target IN ("delete.me", "MSSE-*", "status_*", "postex_ssh_*", "msagent_*", "postex_*", "mojo*", "wkssvc*", "ntsvcs*", "DserNamePipe*", "SearchTextHarvester*", "scerpc*", "mypipe-*", "windows.update.manager*")) BY index, host, Filesystem.file_target, Filesystem.file_name, Filesystem.file_path, Filesystem.signature_id, Filesystem.signature, Filesystem.src, Filesystem.user, _time span=1s
 | rename Filesystem.* AS *, signature_id AS EventCode, signature AS EventDescription, file_name AS ShareName, file_path AS ShareLocalPath, file_target AS RelativeTargetName
 ```
 